From owner-freebsd-ports Mon Jun 25 8:40:26 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from alcor.twinsun.com (alcor.twinsun.com [198.147.65.9])
	by hub.freebsd.org (Postfix) with ESMTP id 2D91D37B401
	for ; Mon, 25 Jun 2001 08:40:24 -0700 (PDT)
	(envelope-from eggert@twinsun.com)
Received: from shade.twinsun.com ([192.54.239.27])
	by alcor.twinsun.com (8.10.1/8.10.1) with ESMTP id f5PFeLl28116;
	Mon, 25 Jun 2001 08:40:21 -0700 (PDT)
Received: (eggert@localhost)
	by shade.twinsun.com (8.10.2+Sun/8.10.2) id f5PFeLD02132;
	Mon, 25 Jun 2001 08:40:21 -0700 (PDT)
Date: Mon, 25 Jun 2001 08:40:21 -0700 (PDT)
From: Paul Eggert
Message-Id: <200106251540.f5PFeLD02132@shade.twinsun.com>
To: 3APA3A@SECURITY.NNOV.RU
Cc: bug-gnu-utils@prep.ai.mit.edu, ports@FreeBSD.ORG
In-reply-to: <136107973587.20010625185007@SECURITY.NNOV.RU> (3APA3A@SECURITY.NNOV.RU)
Subject: Re: tar directory traversal
References: <136107973587.20010625185007@SECURITY.NNOV.RU>
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
> Date: Mon, 25 Jun 2001 18:50:07 +0400
>
> tar checks for absolute path names beginning with '/' but it doesn't
> for '../' it makes it possible to create tar archive which, then
> extracted, will place some files in directory of archive author's
> choice.

It's a known problem. It is addressed to some extent in the latest
test version of GNU tar (1.13.19). There are a few tricky holes even
in 1.13.19, though, and I hope to have them closed in the next
version. You can get test versions at:

ftp://alpha.gnu.org/gnu/tar/
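
The gap discussed in this message, as an added example that is not part of the original message and is not GNU tar's code: a check that rejects only a leading '/' next to one that also rejects any ".." path component. The function names and the sample member names are hypothetical, and the check looks at member names only.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The check described in the report: only a leading '/' is rejected. */
static bool leading_slash_check(const char *name)
{
    return name[0] != '/';
}

/* Hypothetical stricter check: also reject any ".." path component,
   wherever it appears in the member name. */
static bool member_name_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/')
        return false;
    const char *p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");      /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p += len;
        while (*p == '/')                  /* skip one or more separators */
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed member names, not taken from any real archive. */
    const char *names[] = { "pkg/README", "/etc/motd", "../outside.txt",
                            "pkg/../../outside.txt", "pkg/..hidden",
                            "pkg//a/./b" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s leading-slash: %-6s component: %s\n", names[i],
               leading_slash_check(names[i]) ? "accept" : "reject",
               member_name_is_safe(names[i]) ? "accept" : "reject");
    return 0;
}
```

A name such as "pkg/..hidden" is accepted because ".." must be a whole component to be rejected; a substring match would refuse legitimate file names.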